IBM Security Z Security

  • 1.  ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    Posted Tue December 01, 2020 03:09 PM

    Greetings all,

    I completed the installation of the zSecure Visual Server 2.4.0, but I am receiving the following error when I start up C2RSERVE.

    ICH408I USER(C2RSERVE) GROUP(STCGRP  ) NAME(STARTED USER        ) 270
      /u/c2rserve/server1//bin
      CL(DIRACC  ) FID(D7F2F2D9E2F3092C000000006C3F006F)
      INSUFFICIENT AUTHORITY TO UNLINK
      ACCESS INTENT(-W-)  ACCESS ALLOWED(OTHER      R-X)
      EFFECTIVE UID(0000000077)  EFFECTIVE GID(0000000005)

    STCGRP is the started group. C2RSERVE is a member of the started group.

    CLASS      NAME
    -----      ----
    STARTED    C2RS*.* (G)

    USER      ACCESS
    ----      ------
    STCGRP    READ
    C2RSERVE  READ
    IBMUSER   READ

    I attended STCGRP and C2RSERVE to the BPX.SUPERUSER profile. I tried chown and chmod commands but they had no effect.

    I used the following command

    chmod -R g+rwx /u/c2rserve/server1//bin

    but it didn't work.

    The status of the directory in OMVS is as follows.

    Ö ls -alt /u/c2rserve/server1//bin
    lrwxrwxrwx   1 IBMUSER  OMVSGRP       19 Dec  1 14:41 /u/c2rserve/server1//bin -> /usr/lpp/c2r/V2R4M0
    Ö

    I would greatly appreciate it if you would kindly give me some feedback.

    Regards
    ________________________________________________
    Kayhan TANRIVERİR
    Senior Systems Programmer & Consultant
    VBT Bilgi Teknolojileri A.Ş
    www.vbt.com.tr

  • 2.  RE: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    IBM Champion
    Posted Wed December 02, 2020 04:04 AM
    Edited by Rob van Hoboken Wed December 02, 2020 04:27 AM
    Hello Kayhan
    The ls command for /usr/c2rserve/server1//bin shows an OWNER value of IBMUSER.  I would have expected C2RSERVE to own the runtime directories (DATA) as listed in Table 7 of the Installation and Deployment manual.  It is achieved by the last step of initialization job C2RZWRUT:
    //CHOWN EXEC PGM=BPXBATCH,COND=(0,LT),
    // PARM='SH cd &C2RSERVE &&&& chown -R C2RSERVE:C2RSERVG .;ls -nalER'
    //STDERR DD SYSOUT=*,HOLD=YES
    //STDOUT DD SYSOUT=*,HOLD=YES

    If group C2RSERVG doesn't exist, you should put the right group name into this chown command.

    Also, you listed the Access Control List (permits) of the STARTED profile.  Please realize that the ACL of a STARTED profile should be empty, or at least know that permits on a STARTED profile are useless.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    Posted Wed December 02, 2020 06:06 AM
    Hi Rob,

    Thank you for your response. I had run the C2RZWRUT job and it ended successfully, but when I rechecked after your response, I realized that C2RSERVG doesn't exist. I defined C2RSERVG and ran the C2RZWRUT job again without the mkdir -p &C2RSERVE step.
    And also, you are right. I made the STARTED profile empty, so I got past the problem. But I got another error: the C2RSERVE started task ended with RC 08.

    +C2RW001I: 8000: IBMUSER: 67108973: Starting IBM Security zSecure Visual
    server with root /u/c2rserve/server1
    +C2RW006I: 8000: IBMUSER: 16777333: Cannot access program CKGRACF
    IEF404I C2RSERVE - ENDED - TIME=16.03.33
    .HASP395 C2RSERVE ENDED - RC=0008

    I couldn't find the reason for the error.

    Regards,



    Thank you very much.

    ------------------------------
    Kayhan Tanriverir
    ------------------------------



  • 4.  RE: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    IBM Champion
    Posted Wed December 02, 2020 06:22 AM
    Edited by Rob van Hoboken Wed December 02, 2020 06:22 AM
    Kayhan
    The message you copied suggests the started task runs with user ID IBMUSER, not C2RSERVE:

    +C2RW001I: 8000: IBMUSER: 67108973: Starting IBM Security zSecure Visual server with root /u/c2rserve/server1
    +C2RW006I: 8000: IBMUSER: 16777333: Cannot access program CKGRACF

    Does your STARTED profile contain an STDATA segment?

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 5.  RE: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    Posted Wed December 02, 2020 02:49 PM
    Hi,

    I solved the C2RSERVE startup problem in zSecure Visual 2.4.0 with your help.

    Thus, the problem of "ICH408I error during zSecure Visual Server 2.4.0 installation and use" has been resolved.

    Thanks especially to Rob and Bob for their support.

    Regards,

    Kayhan Tanriverir

    ------------------------------
    Kayhan Tanriverir
    Sn. Systems Programmer
    VBT Bilgi Teknolojileri A.Ş
    Ankara, Turkey
    ------------------------------



  • 6.  RE: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    Posted Wed December 02, 2020 02:53 PM

    Hi Rob,

    I solved the C2RSERVE startup problem in zSecure Visual 2.4.0 with your help.

    Thus, the problem of "ICH408I error during zSecure Visual Server 2.4.0 installation and use" has been resolved.

    Thank you very much for your support.

    Regards
    Kayhan TANRIVERİR


  • 7.  RE: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0

    Posted Wed December 02, 2020 04:06 AM

    Hi Kayhan,

    that is a lot of information in one message.

    Let me try to digest what you are reporting here. I gather that you defined profile C2RS*.* in the STARTED class. You permitted READ access to the IDs STCGRP, C2RSERVE, and IBMUSER for this profile. These permissions are irrelevant, RACF does not use them. I suggest that you remove these permissions.

    What is important is: what did you define in the STDATA segment of STARTED profile C2RS*.*?

    In the STDATA segment, you specify which user ID the C2RSERVE started task uses (probably you defined C2RSERVE) and to which group this user ID must be connected (probably you defined STCGRP here).  For the specified user ID and group ID, you can then check in their OMVS segment which UID you assigned to the user ID (C2RSERVE), and which GID to the group (STCGRP).

    I do not quite understand what you mean with the sentence "I attended the STCGRP and C2RSERVE to the BPX.SUPERUSER profile."?

    Do you mean that you permitted these IDs access to this profile? That permission allows user ID C2RSERVE to switch to SUPERUSER mode (UID(0)), but the script that you run doesn't switch to SUPERUSER mode. You can see in the violation message EFFECTIVE UID(0000000077)  EFFECTIVE GID(0000000005) that user ID C2RSERVE is using UID(77) and group STCGRP uses GID(5).

    The output of your ls -alt command reveals that the owner of the file is IBMUSER and the group owner is OMVSGRP.  When you issue command ls -ant instead, you see the owning UID and GID for /u/c2rserve/server1//bin. My guess is that the owning UID and GID do not match UID(77) and GID(5).
    Changing the owning UID to 77 and GID to 5 for /u/c2rserve/server1//bin will probably resolve this access issue.

    I hope that you find this information helpful.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------
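
    The way the ICH408I message is read in the replies above can be mechanised. The following is an added example, not part of the thread and not IBM or zSecure code: it parses the message quoted in the first post and shows which permission triplet applies before and after the suggested ownership change. The function names are hypothetical, and the "before" owner UID/GID are constructed values, because the thread never shows the `ls -ant` output.

```python
import re

# ICH408I text exactly as quoted in the first post of the thread.
SAMPLE = """\
ICH408I USER(C2RSERVE) GROUP(STCGRP  ) NAME(STARTED USER        ) 270
  /u/c2rserve/server1//bin
  CL(DIRACC  ) FID(D7F2F2D9E2F3092C000000006C3F006F)
  INSUFFICIENT AUTHORITY TO UNLINK
  ACCESS INTENT(-W-)  ACCESS ALLOWED(OTHER      R-X)
  EFFECTIVE UID(0000000077)  EFFECTIVE GID(0000000005)
"""

def parse_ich408i(text):
    """Extract the fields of a z/OS UNIX ICH408I violation message."""
    def field(name):
        m = re.search(r"\b" + re.escape(name) + r"\(([^)]*)\)", text)
        return m.group(1).strip() if m else None
    path = re.search(r"^[ \t]*(/\S*)[ \t]*$", text, re.M)
    op = re.search(r"INSUFFICIENT AUTHORITY TO (\S+)", text)
    allowed = (field("ACCESS ALLOWED") or "").split()
    return {
        "user": field("USER"), "group": field("GROUP"), "class": field("CL"),
        "path": path.group(1) if path else None,
        "operation": op.group(1) if op else None,
        "intent": field("ACCESS INTENT"),
        "matched": " ".join(allowed[:-1]) or None,  # OWNER, GROUP, OTHER, ...
        "granted": allowed[-1] if allowed else None,
        "uid": int(field("EFFECTIVE UID") or -1),
        "gid": int(field("EFFECTIVE GID") or -1),
    }

def missing_bits(msg):
    """Permissions requested in ACCESS INTENT but absent from ACCESS ALLOWED."""
    pairs = zip(msg["intent"] or "", msg["granted"] or "")
    return "".join(i for i, g in pairs if i != "-" and g == "-")

def permission_class(msg, owner_uid, owner_gid):
    """Which rwx triplet applies to the effective IDs, given the numeric owner
    from `ls -ant`. Simplified: ignores supplemental groups, ACLs and UID 0."""
    if msg["uid"] == owner_uid:
        return "OWNER"
    return "GROUP" if msg["gid"] == owner_gid else "OTHER"

if __name__ == "__main__":
    m = parse_ich408i(SAMPLE)
    print(f"{m['user']} uid={m['uid']} gid={m['gid']} lacks "
          f"'{missing_bits(m)}' for {m['operation']} on {m['path']} "
          f"(checked against {m['matched']} bits {m['granted']})")
    # Constructed owner IDs (0 and 1): stand-ins for the unseen `ls -ant` output.
    print("before chown:", permission_class(m, 0, 1))
    print("after chown to 77:5:", permission_class(m, 77, 5))
```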